#!/usr/bin/env bash

# Copyright 2024 Flant JSC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

source /shell_lib.sh

function __config__(){
  cat <<EOF
configVersion: v1
kubernetes:
  - name: global-module-config
    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    executeHookOnEvent: []
    executeHookOnSynchronization: false
    keepFullObjectsInMemory: false
    nameSelector:
      matchNames:
      - global
    jqFilter: |
      {
        "publicDomainTemplate": .spec.settings.modules.publicDomainTemplate,
      }
kubernetesValidating:
- name: clusterdomainaliases-policy.deckhouse.io
  group: main
  includeSnapshotsFrom: ["global-module-config"]
  rules:
  - apiGroups:   ["deckhouse.io"]
    apiVersions: ["*"]
    operations:  ["CREATE", "UPDATE"]
    resources:   ["moduleconfigs"]
    scope:       "Cluster"
EOF
}

function __main__() {
  mcName=$(context::jq -r '.review.request.object.metadata.name')
  if [[ "$mcName" == "kube-dns" ]]; then
    publicDomainTemplate=$(context::jq -r '.snapshots.["global-module-config"][].filterResult["publicDomainTemplate"]' | sed s/%s.//)
    clusterDomainAliases=$(context::jq -r '.review.request.object.spec.settings.clusterDomainAliases[]?')

    for alias in $clusterDomainAliases; do
      if [[ $publicDomainTemplate == $alias ]]; then
        cat <<EOF > "$VALIDATING_RESPONSE_PATH"
{"allowed":false, "message":"The clusterDomainAliases \"$alias\" MUST NOT match the one specified in the publicDomainTemplate parameter of the resource: \"%s.$publicDomainTemplate\"." }
EOF
      return 0
      fi
    done
  fi
cat <<EOF > "$VALIDATING_RESPONSE_PATH"
{"allowed":true}
EOF
}

hook::run "$@"
